Re: libaudit: android support

On Wed, Oct 15, 2025, 09:15 Jean-Jacques Pitrolle <jean- jacques.pitrolle(a)sysgo.com <mailto:jean-jacques.pitrolle@sysgo.com>> wrote: Hi, I don't know if you forget to add the list as CC so i answer you directly and send it to the list if you are okay. Oops, yeah all re-add the list. On 14/10/2025 19:52, William Roberts wrote: > On Tue, Oct 14, 2025 at 12:09 PM Jean-Jacques Pitrolle > <jean-jacques.pitrolle(a)sysgo.com <mailto:jean- jacques.pitrolle(a)sysgo.com&gt;&gt; wrote: >> >> Hi Bill >> >> On 14/10/2025 18:54, William Roberts wrote: >>> I did a rewrite of libaudit for Android and it was merged into logd. >>> It's been a long time since I have looked at it, >>> but AFAIK, the logs should be available via logcat. None of this will >>> be part of the ndk if you want to build against it, >>> it's really a system only level thing. >>> >>> Here is where that libaudit code lives now: >>> https://cs.android.com/android/platform/superproject/main/+/ main:system/ <https://cs.android.com/android/platform/superproject/ main/+/main:system/> >>> logging/logd/libaudit/libaudit.cpp >> >> Thanks for your quick answer. >> >> Okay at least something exists for libaudit. I need to take a look on it >> to see how i can use it. > > Ultimately you need permissions to the netlink socket that the audit > subsystem uses, > and that is not available to typical android applications, you would > need to build your > own custom Android that exposes that. However, that would violate the > required CTS > for Android branding IIRC. I think at the end it is a *problem* to build my own Android to access the netlink socket. My purpose is to stick as much as possible to a vanilla Android: so avoid as much as possible specific modification. Yeah so you want to write an application for Android.

> >> >> And what about libauparse? > > I don't believe that is there. > >> Should i consider to build it myself with Android build environment? > > You can grab and build anything, code is code, but the biggest part of > the way Android containers > work is, "Will I have permissions to get at the resource". If you just > want to look at the messages, > it's in logcat, and you can build an application that has the > permission READ_LOGS IIRC, in the > Android Manifest to look at logcat and then look for selinux/ audit messages. Hmm i'm not very familiar with Android execution environment. I want to create a C/C++ application (not Kotlin/Java..) an i don't know if a manifest is required. I need to do my 'Android architecture' homework before to have a clear understanding of the pre-requisite for my use case. Yeah this jargon is just part of the steps to create an application. Just a quick look, there is an open source Android logcat reader application: - https://github.com/darshanparajuli/LogcatReader <https://github.com/ darshanparajuli/LogcatReader> You could probably just modify that. I believe the Android NDK allows pure native applications, but ultimately in Android now, even Java/Kotlin gets reduced to native ELF binaries through OAT which is a play on AOT which is Ahead of Time Compilation. Essentially the byte code gets translated into a shared library loaded up by a framework and executed IIUC/IIRC. I would recommend just using Kotlin because of the support, and you can call any native functions, like things from libauparse, from Kotlin. When I used to Android it was all Java and JNI, I would imagine it's essentially JNI for Kotlin too, but don't quote me.

> > More about your ultimate goal would help me understand and formulate a > better response if you > can share that? My ultimate goal is to read audit/log events from various daemons like auditd, syslogd, .. and transform those events to a format closed to Qualified Security Event defined by AUTOSAR[1]. On a GNU/Linux distribution the services are "well" defined and known (at least by myself ^^) On an Android it seems that *everything* is logged by logd/logcat. Yeah logcat is the central logger, so create an application that listens to logcat, then look for the events you care about and reformat them as needed calling libauparse.